Krebs on Security

In-depth security news and investigation

eBay Asks Users to Downgrade Security

Last week, KrebsOnSecurity received an email from eBay. The company wanted me to switch from using a hardware key fob when logging into eBay to receiving a one-time code sent via text message. I found it remarkable that eBay, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is now essentially trying to downgrade my login experience to a less-secure option.

In early 2007, PayPal (then part of the same company as eBay) began offering its hardware token for a one-time $5 fee, and at the time the company was among very few that were pushing this second-factor (something you have) in addition to passwords for user authentication. In fact, I wrote about this development back when I was a reporter at The Washington Post:

“Armed with one of these keys, if you were to log on to your account from an unfamiliar computer and some invisible password stealing program were resident on the machine, the bad guys would still be required to know the numbers displayed on your token, which of course changes every 30 seconds. Likewise, if someone were to guess or otherwise finagle your PayPal password.”

The PayPal security key.

I’ve still got the same hardware token I ordered when writing about that offering, and it’s been working well for the past decade. Now, eBay is asking me to switch from the key fob to text messages, the latter being a form of authentication that security experts say is less secure than other forms of two-factor authentication (2FA).

The move by eBay comes just months after the National Institute of Standards and Technology (NIST) released a draft of new authentication guidelines that appear to be phasing out the use of SMS-based two-factor authentication. NIST said one-time codes that are texted to users over a mobile phone are vulnerable to interception, noting that thieves can divert the target’s SMS messages and calls to another device (either by social engineering a customer service person at the phone company, or via more advanced attacks like SS7 hacks).

I asked eBay to explain its rationale for suggesting this switch. I received a response suggesting the change was more about bringing authentication in-house (the security key is made by Verisign) and that eBay hopes to offer additional multi-factor authentication options in the future.

“As a company, eBay is committed to providing a safe and secure marketplace for our millions of customers around the world,” eBay spokesman Ryan Moore wrote. “Our product team is constantly working on establishing new short-term and long-term, eBay-owned factors to address our customer’s security needs. To that end, we’ve launched SMS-based 2FA as a convenient 2FA option for eBay customers who already had hardware tokens issued through PayPal. eBay continues to work on advancing multi-factor authentication options for our users, with the end goal of making every solution more secure and more convenient. We look forward to sharing more as additional solutions are ready to launch.”

I think I’ll keep my key fob and continue using that for two-factor authentication on both PayPal and eBay, thank you very much. It’s not clear whether eBay is also phasing out the use of Symantec’s VIP Security Key App, which has long offered eBay and PayPal users alike more security than a texted one-time code. eBay did not respond to specific questions regarding this change.

Although SMS is not as secure as other forms of 2FA, it is probably better than nothing. Are you taking advantage of two-factor authentication wherever it is offered? The site twofactorauth.org maintains a fairly comprehensive list of companies that offer two-step or two-factor authentication.

This entry was posted on Wednesday, March 22nd, 2017 at 1:59 pm and is filed under Other.

105 comments

I also ordered the PayPal keyfob when it became available years ago. But one time I didn’t have it with me, and I was able to click on a “forgot my keyfob” link and login with just my password!!! It sent an alert email, but that was it. It didn’t seem worth carrying it around after that. Does it still have that bypass option?

I work for a large international corporation’s security division and I can confidently say that they checked your login pattern, IP address, purchase history etc. and it did not trigger any security flags, that’s why you were able to login successfully, even without your token, just using your password. Nothing to worry about. You have buyer protection, seller protection and unauthorized purchase protection there.

I remember your Washington Post article about these fobs way back in the day, and it prompted me to order one for $5. Like your fob, mine is still working great, a decade later. I use it for both PayPal and eBay. I too received the email from eBay about the “switch”, and just deleted the email. Like you said, this seems like a security downgrade.

Crazy Prediction: I can see a strong business model for consumer focused federated identity services where someone could subscribe to a service that 1) verifies (proofing) your identity, 2) issues a PKI token (software or hardware), and 3) negotiates federated trust to web services of all shapes and sizes to allow subscribers to authenticate using their token.
I have a feeling Google is likely working on that kind of service, along with the folks at Facebook. But I do not think we have yet seen the full package that may come of their efforts.

Note: I am partial to PKI based tokens because such an implementation could also be leveraged to provide digital identity and data encryption/decryption capabilities.

Imagine a token that allows you to
1) authenticate to many different resources in a fairly secure manner
2) digitally sign anything
3) encrypt an email that only the receiver(s) could decrypt

I think there was resistance to government level identity management in the past. Even the “Real ID” initiative at the state level has had its opponents and resistance. Nobody trusts the government.
What I think could happen is that a new industry will arise around maintaining trusted identities for personal commerce, communications, and other independent activities.
Certainly, governments could establish standards for which they accept identities maintained by these independent service providers (FIPS 201-2 style PIV-I standards).
Time will tell… but I think the pressure for such services is rising fast.

There is already a government-level identity management process in place, it’s just not digitized in a way that’s usable in a PKI (yet?). An RA managing certificate creation for a person would require some form of government-issued ID to prove who that person is anyway, most likely. I would certainly hope they don’t just require a Facebook or Google profile, which presents a host of other problems (e.g. fake profiles, requiring PII on social networks, etc.).

“Trust” is a whole other discussion. You say nobody trusts the government, but most people trust a driver’s license as a form of ID, which is government-issued. It would be just as easy to say nobody trusts a corporation, which of course is what Google and Facebook are.

I agree and know very well that the US government has the proven model. However, Joe public may not want that at the electronic level.
Case in point, the Real ID initiative had original intentions to create digital identities as part of the model. Resistance to that aspect was vehement.
Have a read on this section in Wikipedia for the various angles that opponents have to a national ID system: https://en.wikipedia.org/wiki/REAL_ID_Act#Controversy_and_opposition
And that is just in the US. The EU privacy world is even more difficult to navigate.

From a different, business focused angle – If a business model is developed to provide digital identity proofing, lifecycle management, and federated trust support services that has no borders (or at least less borders), then the digital identity can have a greater extensibility than if a specific government issued the digital identity. Although politics could still become an issue for such a model, from a commerce standpoint that is less likely than if a business manages the identity.

As for trusting businesses versus the government, look no further than our credit card industry. Credit card companies and services track all our transactions and sell that data to other businesses for profit… with our permission!
But if the government tracks our activities, even inadvertently while looking for criminals, lawyers start coming out of the woodwork.

It would be an interesting experiment to have a government service and a similar commercial service stand up registration booths next to each other and see where the customers go with.
Hard to say which would win. I put my money on most people applying for both, each for different reasons.

The German “Personalausweis” (ID card, basically compulsory for each German to have) has this function for several years now: https://en.wikipedia.org/wiki/German_identity_card#Chip
(Sorry, the German page has a lot more information, esp. about using Pseudonyms, a PIN code, the “Ausweis App”, etc. )
I have never heard of anyone using it — neither major companies, nor citizens. People don’t trust it, companies don’t think it’s worth the effort.

I’d like to see laptops (& desktops) get built-in fingerprint scanners, like iPhones have. You could then use your finger to login wherever without all this nonsense. Perhaps have a password as backup in case your finger isn’t available.

For the fingerprint readers (at least the ones I’m familiar with), if the fingerprint isn’t recognized, it moves on to Windows password credentials. So, you still have a way to login to the machine if the fingerprint fails. Once you’re back in, you can edit/recreate the fingerprint if required. But in my experience, a simple reboot and “retry” of the fingerprint will get it working again.

What is also troubling is that Twitter accounts have been hijacked in the past. Twitter supposedly supports using 2FA via Google / Microsoft Authenticator. Problem is that it does not work. Their system continues to use SMS to send the codes rather than relying on the rolling token from the Authenticator app.

Repeated attempts to contact support at Twitter regarding this resulted in zero responses. It’s not just my experience; others have had the same result after supposedly setting up Google/Microsoft Authenticator on Twitter accounts.

But is SMS 2FA really much less secure? I just have a hard time buying that. The other hardware device is equally susceptible to social engineering, realistically, what is the chance of someone intercepting my 2-factor SMS?

With less effort they could steal more money buying a batch of stolen cards. And I mean waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaay less effort. Like the coordination required for this attack is ridiculous. I would speculate that the security community is being incredibly unrealistic in saying SMS 2FA is an issue. If I took a bunch of potential hacks and ranked them by their cost-benefit it would obviously be very near the bottom of all financial fraud hacks.

I could see it being a problem in the future but I doubt there is currently economic incentive for an attacker to pursue that. My perception is that the majority of ‘hackers’ have no real software engineering skills so until someone comes along and builds them a toolkit to execute such an attack I doubt it is really much of a risk, at least relative to other options.

You’re 100% right. It’s impossible to see SMS in transit unless you’re on the operator’s network already with the decryption keys. At that point, you can decode any wireless traffic to the device. At which point, a 2FA compromise is probably the smallest thing to worry about.

I haven’t heard one person give an actual argument, backed up by evidence, that 2FA over SMS is less effective than fob-based.

It’s trivial for a criminal to social engineer a carrier into “upgrading” your line, send a new SIM with your number, and once the criminal has that and activates it, your old device stops working and the new one gets the two factor codes.

With token or authenticator app, the second factor is immune to this type of trivial attack.

At which point it’s no longer an interception of your 2FA, it’s a phishing attack, and one you can at least attempt to defend from. Someone stealing the serial of your fob, or phishing eBay and having them add in a second or replace your fob with their own would be a better analogy in that case.

That form of social engineering attack is getting significantly more difficult, as at least one major US carrier, T-Mobile, now requires you to verify either an SMS one-time PIN sent to the phone or, what I had to do because my phone was lost, go to a physical store to update the SIM card to the one I got with the insurance phone.

I use Authy, a 2FA app that mimics Google’s Authenticator. While it is an occasional PITA, I really appreciate the protection. What bugs me is that more and more sites are pushing their own 2FA apps and not accepting others. I don’t want to have 50 2FA apps on my phone!

This is why I use SMS rather than App based 2FA – I would not be able to stand having a different app for every website. (not to mention, forever being short of space on my phone!) As I am certainly not a high-profile target, I think the level of protection it gives is more than adequate.

I wonder if this is related to lingering separation processes from PayPal. If these tokens were initially offered by PayPal, then eBay likely had an agreement to retain access for a time, but that may be coming to an end. Krebs interprets their statement about bringing security in house in contrast to being tied to Verisign, but it may be in contrast to being tied to PayPal.

Full disclosure: I worked for eBay at the time of the separation from PayPal, but I no longer do, I never had access to any information regarding this.

On PayPal, the Symantec VIP app is not supported anymore, at least for setup (existing settings may still work)
I found this out the hard way: On Android, the VIP app is tied to the device id. After a device factory reset, the device id changes on Android, which requires reinstalling the VIP app, which in turn requires setting up 2FA again with eBay and PayPal.
For PayPal, that errors out, since about the beginning of the year. Their customer support people have no clue about it and were most unhelpful.

@Joe,
Same thing here – last year my physical VIP card stopped working on both eBay and PayPal. I was able to download the VIP app and re-enable it with eBay, but PayPal errors out and SMS is the only 2FA that still works.

I had a similar experience with the Symantec VIP app. Initially when I set up 2FA on PayPal using the Symantec VIP app, its usage also applied to eBay.

Then one day I attempted to login to my PayPal account. Repeatedly entering the VIP token ID did not work. I deactivated the app and deleted it after finally getting into my account via secret security questions. I set up SMS verification and only after that did I get a notification from eBay about reverting to the less secure SMS 2FA.

I contacted PayPal and they provided me instructions on how to setup VIP again on PayPal which I did. I just checked and the VIP token still works.

I then contacted eBay via Twitter. Was told that SMS 2FA is the only one they support and that I cannot go back to VIP tokens. They then proceeded to DM me a boilerplate reply:

“eBay is committed to providing a safe and secure marketplace for our millions of customers around the world…”

Sigh guess they did some risk management analysis and came to the conclusion that SMS is good enough for the information that they are protecting.

– if you live in a Mobile Phone reception black zone (totally useless)
– in Australia it’s way too easy for someone to port your phone illegally
– I’ve had SMS messages arrive hours or even days late, especially a problem if you’re overseas at the time!!!

+1 on Google Authenticator, at least they can’t port that with the phone

One of the issues with many 2FA systems is what do you do to regain control when you lose the token. With the decentralized nature of the web there isn’t a place you go – they have to resort to using knowledge based questions, but even that process can be hijacked with social engineering.

Using the cellphone has one advantage. If you lose your phone, you have to physically go to your carrier, prove who you are, and you can regain control over your phone number.

Now piggybacking 2FA on top of SMS is far from ideal, but it has the advantage that websites like eBay don’t need to deal with procedures for what happens when you lose your token.

I feel like I’m always missing something here. How exactly does the key fob work? I know that you press the button and get a random code, but how does the computer/website know that you’re typing what is displayed? I’ve read that key fobs aren’t usually connected to the computer via bluetooth or anything like that, so I’m confused how that code is validated upon typing it in.

Typically the tokens are time-synced to the authentication server so they generate the same set of passwords every minute based on a shared algorithm and key. The trick is they need to keep the same time over a span of years – this often requires the occasional resync. https://en.wikipedia.org/wiki/Security_token
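The time-synced scheme the comment above describes is standardized as TOTP (RFC 6238) on top of HOTP (RFC 4226), and it is what Google Authenticator, Authy and similar apps implement. The following is an added, stand-alone example (not code from the post, from any commenter, or from eBay/PayPal/Symantec) showing both sides: the token computes an HMAC over the current 30-second time-step counter and truncates it to a six- or eight-digit code, and the server recomputes the same code from its copy of the shared secret, accepting a small window of neighbouring steps to absorb clock drift. The secret is the ASCII test key from the RFCs, and the timestamps and window size are assumptions chosen for the demo. Nothing in the scheme involves a phone number, which is why a SIM swap that captures SMS codes does not capture these.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890").
# A real deployment generates a random secret per user and stores it only on the token
# (or in the authenticator app) and on the server.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # assumed time-step length; 30 s is the RFC 6238 default


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce to the requested number of decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte selects the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear sign bit
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the Unix epoch.
    This is what the token (or app) computes from its own clock."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int, window: int = 1,
                digits: int = 6, step: int = STEP_SECONDS):
    """Server-side check. Accepts codes for steps in [now - window*step, now + window*step]
    so a token whose clock has drifted by up to `window` steps still works.
    Returns the step offset that matched (a server can store it to 'resync' the token's
    drift), or None if no candidate matches. Comparison is constant-time."""
    for offset in range(-window, window + 1):
        candidate = totp(secret, now + offset * step, digits, step)
        if hmac.compare_digest(candidate, submitted):
            return offset
    return None


if __name__ == "__main__":
    # The RFC 6238 test vector: at T=59 the 8-digit SHA-1 code is 94287082.
    print("RFC vector, T=59, 8 digits:", totp(DEMO_SECRET, 59, digits=8))
    # Token 45 s ahead of the server (assumed drift): one step ahead, still accepted.
    server_now = 1_000_000_000
    code_from_fast_token = totp(DEMO_SECRET, server_now + 45)
    print("fast token accepted at offset:", verify_totp(DEMO_SECRET, code_from_fast_token, server_now))
    # Code for the current wall clock, as an authenticator app would display it.
    print("current code:", totp(DEMO_SECRET, int(time.time())))
```

The window is the trade-off the commenter alludes to: wider windows tolerate more drift (and give an attacker who has captured one code slightly more time to replay it), so servers typically keep it at one step, reject a code that has already been used for that step, and record the matched offset to track the token's drift over time.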

I tried to figure out how to add 2FA to my eBay account, and could not find even a hint. Then I came across this article. It clearly demonstrates how eBay has made it extremely unlikely that anyone will use 2FA without a huge struggle. Sad.

Wouldn’t a software-based token be a viable middle-ground? Hardware based tokens have a shelf-life; the battery will only last so long. I use a couple different authentication applications (lastpass authenticator, google authenticator) and, as far as I can tell, they provide the same protection (2nd factor, “something you have”) as a hardware-based token. To me, the software-based token, on a phone, provides even more protection assuming your phone auto-locks and has a good password. A hardware-based token, if lost, provides no such protection.